Welcome to your RSA Conference 2017 edition of #MobSec5. This year’s conference included a slew of mobile security talks as part of the Mobile & IoT Security track. You’ll find a list of those talks, along with recordings and slides, on the RSA Conference website.
Your heaping helping of mobile security reading material for your trip back home includes:
- History repeats itself? Google says no known exploits of Stagefright in the wild
- Ultimate espionage device gains entry to members-only club
- Still no cybersecurity EO, but maybe before the end of the month
Thanks for reading. Have a great weekend, be good, and stay safe.
Subscribe now to receive #MobSec5 updates each Friday in your inbox.
“Ludwig admits Android isn’t immune, but it’s well-built.”
During his RSA Conference 2017 talk “Delivering Secure, Client-Side Technology to Billions of Users,” Director of Android Security Adrian Ludwig discussed Google’s efforts to secure the Android platform. You can review Ludwig’s slides here. One slide, titled “Actual protection vs. newsworthy exploits,” sets three headline-making Android vulnerabilities against the exploitation Google actually observed in the wild:
- Master Key vulnerability
  - 99 percent of devices vulnerable
  - No known exploits prior to public disclosure
  - Less than eight devices per million exploited post-disclosure
- FakeID vulnerability
  - 82 percent of Android users impacted
  - No known exploits prior to public disclosure
  - Less than one device per million exploited post-disclosure
- Stagefright vulnerability
  - 95 percent of devices vulnerable
  - No confirmed exploits pre- or post-disclosure
It’s fortunate that, as far as Google knows, these Android vulnerabilities have not been exploited on a large scale. Note the qualifier: Google can only count exploitation on the devices it is able to observe, so “no known exploits” means none detected, not proof that none occurred. As NowSecure CEO Andrew Hoog warned during his own talk (save your seat for an encore webinar presentation next Tuesday), history will likely repeat itself: the fundamental ingredients for large-scale mobile attacks and compromises already exist. Remember that for years Microsoft Windows largely avoided wide-scale infections, until the ILOVEYOU worm in 2000. Predators follow their prey, and more people are using more mobile devices more frequently for more sensitive transactions. The fact is that millions of Android devices remain vulnerable to the very serious Stagefright bug (maybe even the personal device President Trump is rumored to be using), regardless of whether there is evidence of attackers exploiting it.
Trump under fire for lax security practices
“Trump took a phone call about North Korea’s missile test in full view of Mar-a-Lago guests, and the nuclear football made a Facebook cameo.”
Last Saturday evening, North Korea launched a ballistic missile. On the other side of the globe, at the Mar-a-Lago club in Florida, President Trump was dining with Japanese Prime Minister Shinzo Abe. Suddenly the terrace became a flurry of activity as the two leaders conferred over documents lit by a smartphone flashlight. As the Washington Post reports, “Phones — especially phones with their flashes turned on for improved visibility — are portable television satellite trucks and, if compromised, can be used to get a great deal of information about what’s happening nearby.” Press secretary Sean Spicer has said that only press conference logistics, nothing classified, were discussed at dinner and that the president was briefed about the launch in a secure area. It’s still unclear whether President Trump uses a Secret Service-approved, secured smartphone, an old off-the-shelf Android device, or both. Two senators have asked for written confirmation by March 9 that Trump possesses and is using a secured device or, if not, which device he is using.
This must be the year of mobile security
“If I gave you my phone right now you’d be able to figure out a lot of stuff about me. If I didn’t unlock it you’d see some of the news I read, the apps I use, and even some of the messages I’ve gotten from my friends.”
“The enterprise privacy app, designed to separate personal and business information, is open to attacks putting corporate data at risk.”
The researchers were scheduled to present their findings Friday morning at RSA Conference during their talk “Mobile Containers—The Good, the Bad and the Ugly.” Slides and potentially a recording of the talk are likely to be published on the RSA Conference 2017 website.
Spyware’s Odd Targets: Backers of Mexico’s Soda Tax
(New York Times)
“The discovery of NSO’s spyware on the phones of Mexican nutrition policy makers, activists and even government employees raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.”
“A team of Dutch researchers has found a technique that undermines that so-called address space layout randomization, creating the You Are Here arrow that hackers need to orient themselves inside a stranger’s computer. That means any of the common memory corruption bugs found in software applications on a daily basis could lead to a much deeper takeover of a target PC or smartphone.”
“Kaspersky security researchers find missing security safeguards in nine different connected car apps.”
“Malware tricks users into opening Android Accessibility menu, enabling the attacker to mimic users’ clicks and select anything displayed on their screen.”
“The Trump administration has held off on issuing an executive order on how it wants federal agencies to enforce cyber-security.”
There’s still no official word on President Trump’s executive order on cybersecurity, though two documents said to be drafts of the order have been published. We told you what we thought about the original draft on the NowSecure blog. Late last week, the Lawfare Blog published what they claim to be a revised version. USA Today reported that some people expected the president to release the order during RSA Conference 2017. Congressman Bennie Thompson told Politico this week, “I now understand that it’s several drafts later. I heard today that [the finished version] could come out anytime between now and when the president speaks to Congress.” Trump plans to address Congress on Tuesday, February 28.
“Verizon Communications Inc. is close to a renegotiated deal for Yahoo! Inc.’s internet properties that would reduce the price of the $4.8 billion agreement by about $250 million after the revelation of security breaches at the web company, according to people familiar with the matter.”
“Corporate IT pros face the unenviable task of trying to protect valuable data from threats that change all the time. One vector of attack is clearly smartphones and tablets that employees use both for work and pleasure.”
WhatsApp rolls out two-factor authentication security
(Mobile World Live)
“WhatsApp’s 1.2 billion users will now have access to two-step verification, which means if someone else gets hold of their device or phone number, their messages will be safe.”
“Security researchers have wanted a peek at Wickr’s code since the secure messaging app launched in 2012, and now they’re finally getting that chance.”
“A few months ago I wrote about how you can encrypt your entire life in less than an hour. Well, all the security in the world can’t save you if someone has physical possession of your phone or laptop.”
“A security vulnerability in Windows 10 Mobile allows anyone to bypass the security code and access the photo gallery on a device running either production or preview builds shipped as part of the Windows Insider program.”
Google’s Verify Apps now shows apps that it has recently scanned
“You were sort of taking Google at its word as a user that Verify Apps was indeed rummaging around to keep tabs on things. Now you can see some of what it’s doing—the settings menu now shows which apps have recently been scanned.”
P.S. If you want to receive #MobSec5 updates each Friday in your inbox, subscribe now via the NowSecure Subscription Center.